> ## Documentation Index
> Fetch the complete documentation index at: https://docs.shorpay.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How Shor keeps your data and money safe.

Shor handles payroll data, identity documents, and money movement, all of which make us an attractive target if we're careless. Security is designed in, not bolted on. This page covers how we keep your data and funds safe.

## Data Security

<CardGroup cols={2}>
  <Card title="Encryption in Transit" icon="lock">
    Every connection to Shor is encrypted with TLS 1.2 or higher. No data moves between your browser or bank and our servers in the clear.
  </Card>

  <Card title="Encryption at Rest" icon="database">
    All stored data (contracts, identity documents, bank details) is encrypted at rest using industry-standard AES-256 encryption.
  </Card>

  <Card title="Secret Management" icon="key">
    Sensitive values (API keys, signing secrets, database credentials) are held in a secrets manager with access tightly controlled and every access audited.
  </Card>

  <Card title="Tenant Isolation" icon="object-group">
    Your data is isolated from every other customer. Queries, authentication, and access checks are scoped by your business, and cross-tenant reads are not possible.
  </Card>
</CardGroup>

## Identity and Access

* **Modern auth**: sign in with email and password or via the sign-in options configured for your workspace
* **Role-based access**: admins and members have different permissions
* **Activity tracking**: significant actions (payroll approvals, funding changes, user invites) are recorded in our systems, with review available on request
* **Session controls**: idle session timeouts and the ability to sign out from your account settings

## Infrastructure Security

* Hosted on modern cloud infrastructure with hardened defaults (private networking, managed secrets, automated patching)
* Production environments isolated from development and staging
* Changes to production require code review and pass automated security checks
* Security reviews on a regular cadence as we scale

<Note>
  Formal compliance certifications (SOC 2, ISO 27001) and third-party penetration testing are on our roadmap as we grow. If your procurement process needs specifics today, reach out to [security@shorpay.com](mailto:security@shorpay.com). We're happy to share our current security posture in detail.
</Note>

## Payment Security

Money movement has additional layers:

<CardGroup cols={2}>
  <Card title="Role-Based Access" icon="user-check">
    Only Admins can fund the account, run payments, or change billing. Members handle day-to-day work without touching the money controls.
  </Card>

  <Card title="Idempotency">
    Every payment request carries an idempotency key. You can't accidentally pay someone twice, even if a browser retry happens.
  </Card>

  <Card title="Monitoring" icon="bell">
    Unusual activity (a sudden increase in volume, a payment to a new country, a change in funding source) triggers alerts for review.
  </Card>

  <Card title="Hard-Failure Handling" icon="circle-exclamation">
    Failed payments don't silently retry to a potentially wrong account. They pause and surface for your review with the specific error.
  </Card>
</CardGroup>

## Regulatory Posture

Shor operates within the regulations of the countries we serve:

* **Money transmission licensing** where required by jurisdiction
* **KYB** for every business on the platform
* **KYC** for every worker receiving payments
* **AML / sanctions screening** on every payment before it goes out
* **Data residency** options for customers in regions that require it

## Incident Response

If we detect a security issue, we act fast:

* Immediate containment (isolating affected systems)
* Customer notification if your data is involved
* Post-incident review, published to affected customers
* Preventive changes to ensure it doesn't recur

You can report a suspected security issue to [security@shorpay.com](mailto:security@shorpay.com).

## What You Can Do

Security is a shared responsibility. Some things you can do to strengthen your own account:

* **Use a strong unique password** with a password manager
* **Give admins the minimum access they need**: don't make everyone an Admin
* **Verify changes to bank details** out-of-band before approving them (fraud attempts often target bank account updates)
* **Review your team list quarterly** and remove access for anyone who's moved on

## Next Steps

<CardGroup cols={2}>
  <Card title="Data Privacy" icon="shield-halved" href="/platform/data-privacy">
    What personal data Shor collects and how it's handled.
  </Card>

  <Card title="KYC / KYB" icon="user-check" href="/platform/kyc-kyb">
    How identity verification works on Shor.
  </Card>
</CardGroup>
